There are many things to consider when making passwords
more secure. A person should choose a password that is not easily
associated with something readily identified with them. For
example, avoid family members’ names, pet names, favorite sports or
activities, hometown, etc. Choose a word that is not in the
dictionary. There are hacker utilities available that will run
through every word in the dictionary, trying all of them
systematically in an attempt to gain access to an account. Adding
numbers is another common way people change passwords. Someone
might use “January10” for their password because that was the date
they created it, and when the account requires a password change,
they may very well simply change the password to “January11” to make
remembering it easier. Hackers will frequently move from a
dictionary attack to a modified attack in which they add numbers to
the end of each word in the dictionary. This slows down the process
due to the large number of attempts required. However, hackers will
sometimes modify this to use the dictionary words in order of
popularity. There are lists of commonly used passwords, which
hackers use to make their attack faster.

Selecting a password that is not a dictionary
word and includes numbers does not necessarily guarantee safety.
The next tool that hackers can use is a brute-force attack. This
attack tries every combination of letters and numbers until it finds
a valid combination. This means that if this attack is used,
“my1dog” is just as likely to be hacked as “password.” The best
defense against a brute-force attack is password length and alphabet
selection. A four-character password will take less time to hack
than one that is eight characters long. A password involving only
lower-case letters is less secure than one using lower-case letters
and numbers.

Figure 1.6 shows the maximum time needed to
complete a brute-force attack. Notice that simply going from a six
to a seven-character password using only lower-case letters
increases the time from less than one hour to nearly one day.
Adding numbers to the password increases the time to nine days.
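
The three weaknesses described above (dictionary words, a word with digits appended or incremented at a password change, and a search space small enough to exhaust) can be checked when a user picks a new password. The sketch below is an added example, not part of the original text. Its function names, the sample word list, the one-year threshold and the rate of 100,000 guesses per second are assumptions; that rate is chosen because it reproduces the times quoted from Figure 1.6.

```python
import re

GUESSES_PER_SECOND = 100_000  # assumption: reproduces the Figure 1.6 times quoted above
MIN_SECONDS = 365 * 86_400    # assumption: reject anything searchable within one year
WORDLIST = {"password", "january", "dog", "football"}  # constructed sample list

def max_bruteforce_seconds(length, alphabet):
    """Worst-case time to try every string of `length` symbols."""
    return alphabet ** length / GUESSES_PER_SECOND

def alphabet_size(password):
    """Size of the smallest character set that covers the password."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", 33))  # 33 = printable ASCII symbols and space
    return sum(size for pattern, size in classes if re.search(pattern, password))

def split_trailing_digits(password):
    """'January10' -> ('january', '10'); 'my1dog' -> ('my1dog', '')."""
    match = re.fullmatch(r"(.*?)(\d*)", password, re.DOTALL)
    return match.group(1).lower(), match.group(2)

def review_password(new, old=None, wordlist=WORDLIST):
    """Return the reasons to reject `new`; an empty list means no finding.

    `old` is the current password as typed on the change form.
    """
    findings = []
    stem, digits = split_trailing_digits(new)
    if stem in wordlist:
        findings.append("dictionary word plus digits" if digits else "dictionary word")
    if old is not None and stem and stem == split_trailing_digits(old)[0]:
        findings.append("same stem as previous password")
    if max_bruteforce_seconds(len(new), alphabet_size(new)) < MIN_SECONDS:
        findings.append("exhaustive search takes under a year")
    return findings

if __name__ == "__main__":
    samples = (("password", None), ("January11", "January10"), ("my1dog", None))
    for candidate, previous in samples:
        print(candidate, review_password(candidate, previous))
```

Note that “my1dog” passes both dictionary checks and is rejected only on search-space size, while “January11” is long enough to resist exhaustive search and is rejected only because of its stem.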